From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753935AbbEOGXg (ORCPT );
	Fri, 15 May 2015 02:23:36 -0400
Received: from mail-la0-f51.google.com ([209.85.215.51]:36656 "EHLO mail-la0-f51.google.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1753643AbbEOGXb (ORCPT );
	Fri, 15 May 2015 02:23:31 -0400
MIME-Version: 1.0
In-Reply-To: <20150515023221.GC965@madcap2.tricolour.ca>
References: <20150512195759.GA9832@madcap2.tricolour.ca>
	<2918460.dpKocsKt4o@x2>
	<12675437.ssZNCck7zG@sifl>
	<20150515023221.GC965@madcap2.tricolour.ca>
From: Andy Lutomirski
Date: Thu, 14 May 2015 23:23:09 -0700
Message-ID:
Subject: Re: [PATCH V6 05/10] audit: log creation and deletion of namespace instances
To: Richard Guy Briggs
Cc: Paul Moore, Steve Grubb, "Eric W. Biederman", Linux Containers,
	"linux-kernel@vger.kernel.org", linux-audit@redhat.com, Eric Paris,
	arozansk@redhat.com, "Serge E. Hallyn", Mimi Zohar, Al Viro,
	Linux FS Devel, Linux API, Network Development
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, May 14, 2015 at 7:32 PM, Richard Guy Briggs wrote:
> On 15/05/14, Paul Moore wrote:
>> * Look at our existing audit records to determine which records should have
>> namespace and container ID tokens added.  We may only want to add the
>> additional fields in the case where the namespace/container ID tokens are not
>> the init namespace.
>
> If we have a record that ties a set of namespace IDs with a container
> ID, then I expect we only need to list the containerID along with auid
> and sessionID.

The problem here is that the kernel has no concept of a "container", and
I don't think it makes any sense to add one just for audit.  "Container"
is a marketing term used by some userspace tools.
I can imagine that audit could benefit from a concept of a namespace
*path* that understands nesting (e.g. root/2/5/1 or something along
those lines).  Mapping these to "containers" belongs in userspace, I
think.

--Andy